---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webhook
  namespace: d8-cert-manager
  {{- include "helm_lib_module_labels" (list . (dict "app" "webhook")) | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: d8:cert-manager:webhook:requester
  {{- include "helm_lib_module_labels" (list . (dict "app" "webhook")) | nindent 2 }}
rules:
- apiGroups:
  - admission.cert-manager.io
  resources:
  - certificates
  - certificaterequests
  - issuers
  - clusterissuers
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: d8:cert-manager:webhook:auth-delegator
  {{- include "helm_lib_module_labels" (list . (dict "app" "webhook")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: webhook
  namespace: d8-cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: d8:cert-manager:webhook:auth-reader
  namespace: kube-system
  {{- include "helm_lib_module_labels" (list . (dict "app" "webhook")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: webhook
    namespace: d8-cert-manager
